CVE Vulnerabilities

CVE-2017-11671

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Published: Jul 26, 2017 | Modified: Apr 12, 2018
CVSS 3.x: 4 MEDIUM | Source: NVD | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x: 2.1 LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3: 5.6 LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Ubuntu: LOW

Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.
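
The effect of a lost status flag, as an added example that is not code from GCC or from this advisory: a caller that never sees the failure uses whatever is in the destination, while a caller that sees it can retry and then fall back. All function names, the retry bound, and the fake source are assumptions made for illustration; the inline-assembly wrapper is one way to read the carry flag in the same statement as the instruction.

```c
#include <stdint.h>
#include <stdio.h>
/* One attempt: returns 1 and fills *out on success, 0 on failure. */
typedef int (*rand_step_fn)(uint32_t *out);

#if defined(__x86_64__) || defined(__i386__)
/* RDRAND and the carry-flag read share one asm statement, so nothing can be
 * scheduled between them. Check CPUID leaf 1, ECX bit 30 before calling. */
int rdrand32_step_asm(uint32_t *out)
{
    unsigned char ok;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok;
}
#endif
#define RDRAND_RETRIES 10 /* retry bound chosen for this example */

/* Status ignored: the effect the advisory describes when the flag is lost. */
uint32_t rand32_unchecked(rand_step_fn step)
{
    uint32_t v = 0;
    (void)step(&v);
    return v;
}

/* Status honoured: bounded retry, then an error so the caller can fall back. */
int rand32_checked(rand_step_fn step, uint32_t *out)
{
    for (int i = 0; i < RDRAND_RETRIES; i++) {
        uint32_t v;
        if (step(&v)) { *out = v; return 0; }
    }
    return -1;
}

/* Constructed stand-in for a source that fails fail_budget times, writing 0
 * on each failure (assumed to mirror the zeroed destination when CF=0). */
static int fail_budget;
int fake_step(uint32_t *out)
{
    if (fail_budget > 0) { fail_budget--; *out = 0; return 0; }
    *out = 0xC0FFEE42u; return 1; /* constructed sample value */
}

int main(void)
{
    fail_budget = 1; /* one failed attempt, then success */
    printf("unchecked: %08x\n", (unsigned)rand32_unchecked(fake_step));
    return 0;
}
```

When `rand32_checked` returns -1, the caller should take its random bytes from the operating system's CSPRNG instead of proceeding with the hardware value.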

Weakness

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.

Affected Software

Name Vendor Start Version End Version
Gcc Gnu 4.6 (including) 4.6 (including)
Gcc Gnu 4.7 (including) 4.7 (including)
Gcc Gnu 4.8 (including) 4.8 (including)
Gcc Gnu 4.9 (including) 4.9 (including)
Gcc Gnu 5.0 (including) 5.0 (including)
Gcc Gnu 5.1 (including) 5.1 (including)
Gcc Gnu 5.2 (including) 5.2 (including)
Gcc Gnu 5.3 (including) 5.3 (including)
Gcc Gnu 5.4 (including) 5.4 (including)
Gcc Gnu 6.0 (including) 6.0 (including)
Gcc Gnu 6.1 (including) 6.1 (including)
Gcc Gnu 6.2 (including) 6.2 (including)
Gcc Gnu 6.3 (including) 6.3 (including)
Red Hat Enterprise Linux 7 RedHat gcc-0:4.8.5-28.el7 *
Gcc-3.3 Ubuntu artful *
Gcc-3.3 Ubuntu bionic *
Gcc-3.3 Ubuntu cosmic *
Gcc-3.3 Ubuntu disco *
Gcc-3.3 Ubuntu eoan *
Gcc-3.3 Ubuntu groovy *
Gcc-3.3 Ubuntu hirsute *
Gcc-3.3 Ubuntu impish *
Gcc-3.3 Ubuntu kinetic *
Gcc-3.3 Ubuntu lunar *
Gcc-3.3 Ubuntu mantic *
Gcc-3.3 Ubuntu trusty *
Gcc-3.3 Ubuntu xenial *
Gcc-3.3 Ubuntu zesty *
Gcc-4.4 Ubuntu trusty *
Gcc-4.6 Ubuntu precise/esm *
Gcc-4.6 Ubuntu trusty *
Gcc-4.7 Ubuntu trusty *
Gcc-4.7 Ubuntu xenial *
Gcc-4.7 Ubuntu zesty *
Gcc-4.7-armel-cross Ubuntu trusty *
Gcc-4.7-armel-cross Ubuntu xenial *
Gcc-4.7-armel-cross Ubuntu zesty *
Gcc-4.7-armhf-cross Ubuntu trusty *
Gcc-4.7-armhf-cross Ubuntu xenial *
Gcc-4.7-armhf-cross Ubuntu zesty *
Gcc-4.8 Ubuntu artful *
Gcc-4.8 Ubuntu bionic *
Gcc-4.8 Ubuntu cosmic *
Gcc-4.8 Ubuntu trusty *
Gcc-4.8 Ubuntu xenial *
Gcc-4.8 Ubuntu zesty *
Gcc-4.8-arm64-cross Ubuntu trusty *
Gcc-4.8-arm64-cross Ubuntu xenial *
Gcc-4.8-armhf-cross Ubuntu trusty *
Gcc-4.8-armhf-cross Ubuntu xenial *
Gcc-4.8-powerpc-cross Ubuntu trusty *
Gcc-4.8-powerpc-cross Ubuntu xenial *
Gcc-4.8-ppc64el-cross Ubuntu trusty *
Gcc-4.8-ppc64el-cross Ubuntu xenial *
Gcc-4.9 Ubuntu vivid/ubuntu-core *
Gcc-4.9 Ubuntu xenial *
Gcc-4.9 Ubuntu zesty *
Gcc-5 Ubuntu artful *
Gcc-5 Ubuntu esm-infra/xenial *
Gcc-5 Ubuntu upstream *
Gcc-5 Ubuntu xenial *
Gcc-5 Ubuntu zesty *
Gcc-5-cross Ubuntu artful *
Gcc-5-cross Ubuntu xenial *
Gcc-5-cross Ubuntu zesty *
Gcc-6 Ubuntu artful *
Gcc-6 Ubuntu upstream *
Gcc-6 Ubuntu zesty *
Gcc-6-cross Ubuntu artful *
Gcc-6-cross Ubuntu upstream *
Gcc-6-cross Ubuntu zesty *
Gcc-6-cross-ports Ubuntu artful *
Gcc-6-cross-ports Ubuntu upstream *
Gcc-6-cross-ports Ubuntu zesty *
Gcc-7 Ubuntu artful *
Gcc-7 Ubuntu upstream *
Gcc-7-cross Ubuntu artful *
Gcc-7-cross-ports Ubuntu artful *
Gcc-arm-linux-androideabi Ubuntu trusty *
Gcc-arm-linux-androideabi Ubuntu xenial *
Gcc-arm-linux-androideabi Ubuntu zesty *
Gcc-arm-none-eabi Ubuntu artful *
Gcc-arm-none-eabi Ubuntu bionic *
Gcc-arm-none-eabi Ubuntu cosmic *
Gcc-arm-none-eabi Ubuntu disco *
Gcc-arm-none-eabi Ubuntu eoan *
Gcc-arm-none-eabi Ubuntu groovy *
Gcc-arm-none-eabi Ubuntu hirsute *
Gcc-arm-none-eabi Ubuntu impish *
Gcc-arm-none-eabi Ubuntu kinetic *
Gcc-arm-none-eabi Ubuntu lunar *
Gcc-arm-none-eabi Ubuntu mantic *
Gcc-arm-none-eabi Ubuntu trusty *
Gcc-arm-none-eabi Ubuntu xenial *
Gcc-arm-none-eabi Ubuntu zesty *
Gcc-avr Ubuntu artful *
Gcc-avr Ubuntu bionic *
Gcc-avr Ubuntu cosmic *
Gcc-avr Ubuntu disco *
Gcc-avr Ubuntu eoan *
Gcc-avr Ubuntu groovy *
Gcc-avr Ubuntu hirsute *
Gcc-avr Ubuntu impish *
Gcc-avr Ubuntu kinetic *
Gcc-avr Ubuntu lunar *
Gcc-avr Ubuntu mantic *
Gcc-avr Ubuntu trusty *
Gcc-avr Ubuntu xenial *
Gcc-avr Ubuntu zesty *
Gcc-defaults Ubuntu artful *
Gcc-defaults Ubuntu cosmic *
Gcc-defaults Ubuntu disco *
Gcc-defaults Ubuntu eoan *
Gcc-defaults Ubuntu groovy *
Gcc-defaults Ubuntu hirsute *
Gcc-defaults Ubuntu impish *
Gcc-defaults Ubuntu precise/esm *
Gcc-defaults Ubuntu trusty *
Gcc-defaults Ubuntu xenial *
Gcc-defaults Ubuntu zesty *
Gcc-defaults-arm64-cross Ubuntu trusty *
Gcc-defaults-armel-cross Ubuntu trusty *
Gcc-defaults-armhf-cross Ubuntu trusty *
Gcc-defaults-powerpc-cross Ubuntu trusty *
Gcc-defaults-ppc64el-cross Ubuntu trusty *
Gcc-h8300-hms Ubuntu artful *
Gcc-h8300-hms Ubuntu bionic *
Gcc-h8300-hms Ubuntu cosmic *
Gcc-h8300-hms Ubuntu disco *
Gcc-h8300-hms Ubuntu eoan *
Gcc-h8300-hms Ubuntu groovy *
Gcc-h8300-hms Ubuntu hirsute *
Gcc-h8300-hms Ubuntu impish *
Gcc-h8300-hms Ubuntu kinetic *
Gcc-h8300-hms Ubuntu lunar *
Gcc-h8300-hms Ubuntu mantic *
Gcc-h8300-hms Ubuntu trusty *
Gcc-h8300-hms Ubuntu xenial *
Gcc-h8300-hms Ubuntu zesty *
Gcc-i686-linux-android Ubuntu trusty *
Gcc-i686-linux-android Ubuntu xenial *
Gcc-i686-linux-android Ubuntu zesty *
Gcc-m68hc1x Ubuntu artful *
Gcc-m68hc1x Ubuntu bionic *
Gcc-m68hc1x Ubuntu cosmic *
Gcc-m68hc1x Ubuntu disco *
Gcc-m68hc1x Ubuntu eoan *
Gcc-m68hc1x Ubuntu groovy *
Gcc-m68hc1x Ubuntu hirsute *
Gcc-m68hc1x Ubuntu impish *
Gcc-m68hc1x Ubuntu kinetic *
Gcc-m68hc1x Ubuntu trusty *
Gcc-m68hc1x Ubuntu xenial *
Gcc-m68hc1x Ubuntu zesty *
Gcc-mingw-w64 Ubuntu artful *
Gcc-mingw-w64 Ubuntu bionic *
Gcc-mingw-w64 Ubuntu cosmic *
Gcc-mingw-w64 Ubuntu disco *
Gcc-mingw-w64 Ubuntu eoan *
Gcc-mingw-w64 Ubuntu groovy *
Gcc-mingw-w64 Ubuntu hirsute *
Gcc-mingw-w64 Ubuntu impish *
Gcc-mingw-w64 Ubuntu kinetic *
Gcc-mingw-w64 Ubuntu lunar *
Gcc-mingw-w64 Ubuntu mantic *
Gcc-mingw-w64 Ubuntu trusty *
Gcc-mingw-w64 Ubuntu xenial *
Gcc-mingw-w64 Ubuntu zesty *
Gcc-msp430 Ubuntu artful *
Gcc-msp430 Ubuntu bionic *
Gcc-msp430 Ubuntu cosmic *
Gcc-msp430 Ubuntu disco *
Gcc-msp430 Ubuntu eoan *
Gcc-msp430 Ubuntu groovy *
Gcc-msp430 Ubuntu hirsute *
Gcc-msp430 Ubuntu impish *
Gcc-msp430 Ubuntu kinetic *
Gcc-msp430 Ubuntu lunar *
Gcc-msp430 Ubuntu mantic *
Gcc-msp430 Ubuntu trusty *
Gcc-msp430 Ubuntu xenial *
Gcc-msp430 Ubuntu zesty *
Gcc-opt Ubuntu artful *
Gcc-opt Ubuntu trusty *
Gcc-opt Ubuntu zesty *
Gcc-snapshot Ubuntu artful *
Gcc-snapshot Ubuntu trusty *
Gcc-snapshot Ubuntu upstream *
Gcc-snapshot Ubuntu xenial *
Gcc-snapshot Ubuntu zesty *
Gccgo-4.9 Ubuntu trusty *
Gccgo-6 Ubuntu esm-infra/xenial *
Gccgo-6 Ubuntu xenial *

Extended Description

When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography.

Potential Mitigations

References